cloud engineer
by Ulysses
Here’s the installation instructions for OpenJDK 8.
For Fedora, Redhat and Oracle Linux.
yum install java-1.8.0-openjdk |
yum install java-1.8.0-openjdk
For Debian and Ubuntu.
apt-get install openjdk-8-jre |
apt-get install openjdk-8-jre
To see if the packages (symbolic links) are there, they can be found in /etc/alternatives/, at least in Redhat 7.
ls -l /etc/alternatives/ |
ls -l /etc/alternatives/
by Ulysses
If a Linux user is having an access problem with a NFS share, and particularly with key expiration, then check if the RPC GSSD service is up and running. NFS clients uses the RPCSEC_GSS protocol to establish security credentials with a NFS server using Kerberos authentication.
Here’s an example of a key expire error due to a NFS client not authenticated properly.
df -h df: '/data/dir1': Key has expired df: '/data/dir2': Key has expired df: '/data/dir3': Key has expired |
df -h df: '/data/dir1': Key has expired df: '/data/dir2': Key has expired df: '/data/dir3': Key has expired
Check if RPC GSSD service is healthy. Restart the service if there are credential errors.
service rpc-gssd status |
service rpc-gssd status
Here’s one with an authentication issue.
[root@server ~]# service rpc-gssd status Redirecting to /bin/systemctl status rpc-gssd.service ● rpc-gssd.service - RPC security service for NFS client and server Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled) Active: active (running) since Sun 2021-01-31 03:16:43 CST; 2h 14min ago Main PID: 710 (rpc.gssd) Memory: 1.6M CGroup: /system.slice/rpc-gssd.service └─710 /usr/sbin/rpc.gssd Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com |
[root@server ~]# service rpc-gssd status Redirecting to /bin/systemctl status rpc-gssd.service ● rpc-gssd.service - RPC security service for NFS client and server Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled) Active: active (running) since Sun 2021-01-31 03:16:43 CST; 2h 14min ago Main PID: 710 (rpc.gssd) Memory: 1.6M CGroup: /system.slice/rpc-gssd.service └─710 /usr/sbin/rpc.gssd Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found Jan 31 03:17:10 server.domain.com rpc.gssd[710]: ERROR: No credentials found for connection to server nas.domain.com
Restart the service.
service rpc-gssd stop service rpc-gssd start |
service rpc-gssd stop service rpc-gssd start
Here’s a service that’s healthy.
[root@server ~]# service rpc-gssd status Redirecting to /bin/systemctl status rpc-gssd.service ● rpc-gssd.service - RPC security service for NFS client and server Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled) Active: active (running) since Sun 2021-01-31 05:33:54 CST; 28min ago Process: 9809 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS) Main PID: 9810 (rpc.gssd) Memory: 804.0K CGroup: /system.slice/rpc-gssd.service └─9810 /usr/sbin/rpc.gssd Jan 31 05:33:54 server.domain.com systemd[1]: Starting RPC security service for NFS client and server... Jan 31 05:33:54 server.domain.com systemd[1]: Started RPC security service for NFS client and server. |
[root@server ~]# service rpc-gssd status Redirecting to /bin/systemctl status rpc-gssd.service ● rpc-gssd.service - RPC security service for NFS client and server Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled) Active: active (running) since Sun 2021-01-31 05:33:54 CST; 28min ago Process: 9809 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS) Main PID: 9810 (rpc.gssd) Memory: 804.0K CGroup: /system.slice/rpc-gssd.service └─9810 /usr/sbin/rpc.gssd Jan 31 05:33:54 server.domain.com systemd[1]: Starting RPC security service for NFS client and server... Jan 31 05:33:54 server.domain.com systemd[1]: Started RPC security service for NFS client and server.
by Ulysses
AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.
#!/bin/bash # set variables instanceid='i-xxxxxxxxxxxxxxxx' region='us-east-1' profile='sample' # log and temp files output="ec2-sg.log" tmpfil="ec2-sg.tmp" # empty log at start > $output # get sg ids aws ec2 describe-instances \ --instance-ids $instanceid \ --region $region \ --profile $profile \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil while read -r id; do echo '============================================' >> $output echo $id >> $output echo '============================================' >> $output echo '---------------- INGRESS -------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output echo '---------------- EGRESS --------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output done < $tmpfil |
#!/bin/bash # set variables instanceid='i-xxxxxxxxxxxxxxxx' region='us-east-1' profile='sample' # log and temp files output="ec2-sg.log" tmpfil="ec2-sg.tmp" # empty log at start > $output # get sg ids aws ec2 describe-instances \ --instance-ids $instanceid \ --region $region \ --profile $profile \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil while read -r id; do echo '============================================' >> $output echo $id >> $output echo '============================================' >> $output echo '---------------- INGRESS -------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output echo '---------------- EGRESS --------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output done < $tmpfil
Here’s a sample output.
============================================ sg-xxxxxxxxxxxxxxx ============================================ ---------------- INGRESS ------------------- 5985 5985 tcp 10.0.0.220/32 10005 10005 tcp 10.0.0.164/32 ---------------- EGRESS -------------------- 80 80 tcp 10.0.0.14/32 40000 65535 udp 10.0.0.0/8 3389 3389 tcp 10.0.0.96/32 9389 9389 tcp 10.0.0.0/8 5985 5986 tcp 10.0.0.96/32 |
============================================ sg-xxxxxxxxxxxxxxx ============================================ ---------------- INGRESS ------------------- 5985 5985 tcp 10.0.0.220/32 10005 10005 tcp 10.0.0.164/32 ---------------- EGRESS -------------------- 80 80 tcp 10.0.0.14/32 40000 65535 udp 10.0.0.0/8 3389 3389 tcp 10.0.0.96/32 9389 9389 tcp 10.0.0.0/8 5985 5986 tcp 10.0.0.96/32
by Ulysses
You can register multiple domains to a single SSL certificate. This is particularly useful if you are hosting multiple domains on one server. This command adds more domains to your existing certificate.
certbot --expand -d existing.com -d newdomain1.com -d newdomain2.com |
certbot --expand -d existing.com -d newdomain1.com -d newdomain2.com
Check if the domains were added.
certbot certificates |
certbot certificates
Certbot certificates are valid for 90 days, but they automatically renew themselves if expiration is less than 30 days. If you need to renew manually for some odd reason, you can run this command. You can also perform a dry-run before renewing.
certbot renew
certbot renew --dry-run |
certbot renew certbot renew --dry-run
by Ulysses
Here’s a regex using the pipe symbol as OR to allow only 6 possible values.
regex="efs-(00|04|08|12|16|20)00" |
regex="efs-(00|04|08|12|16|20)00"
Matches:
efs-0000 efs-0400 efs-0800 efs-1200 efs-1600 efs-2000 |
efs-0000 efs-0400 efs-0800 efs-1200 efs-1600 efs-2000
No matches:
efs-0100 efs-2200 efs-0600 efs-1400 efs-1800 efs-1110 111022 asdb023 2330asd 1200-efs 1205 abc |
efs-0100 efs-2200 efs-0600 efs-1400 efs-1800 efs-1110 111022 asdb023 2330asd 1200-efs 1205 abc
$var is compared with $regex to find a match. $var is any of the variables above.
if [[ $var != $regex ]]; then echo "Not a match" else echo "It's a match" fi |
if [[ $var != $regex ]]; then echo "Not a match" else echo "It's a match" fi
by Ulysses
Here’s how to launch a LightSail instance using Terraform. Create a main.tf file.
terraform { required_providers { aws = { version = >= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_lightsail_instance" "yourinstance" { name = "yourinstance" availability_zone = "us-east-1a" blueprint_id = "amazon_linux_2" bundle_id = "nano_2_0" } |
terraform { required_providers { aws = { version = >= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_lightsail_instance" "yourinstance" { name = "yourinstance" availability_zone = "us-east-1a" blueprint_id = "amazon_linux_2" bundle_id = "nano_2_0" }
To launch, run the following Terraform commands.
terraform init terraform apply |
terraform init terraform apply
by Ulysses
Here’s the script how to install Docker on Ubuntu 20.04 LTS.
#!/bin/bash sudo apt-get update # install dependencies sudo apt-get -y install apt-transport-https ca-certificates curl software-properties-common # add the gpg key for docker curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - # add the repository in the Linux mint 20 sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(. /etc/os-release; echo "$UBUNTU_CODENAME") stable" sudo apt-get update # install docker e docker-compose sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(. /etc/os-release; echo "$UBUNTU_CODENAME") stable" sudo apt-get -y install docker-ce docker-compose # add the user system to sudo group, no sudo command sudo usermod -aG docker $USER # prints docker version =) docker --version |
#!/bin/bash sudo apt-get update # install dependencies sudo apt-get -y install apt-transport-https ca-certificates curl software-properties-common # add the gpg key for docker curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - # add the repository in the Linux mint 20 sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(. /etc/os-release; echo "$UBUNTU_CODENAME") stable" sudo apt-get update # install docker e docker-compose sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(. /etc/os-release; echo "$UBUNTU_CODENAME") stable" sudo apt-get -y install docker-ce docker-compose # add the user system to sudo group, no sudo command sudo usermod -aG docker $USER # prints docker version =) docker --version
by Ulysses
Here’s how to build an EFS file system using Terraform. Create a main.tf file.
terraform { required_providers { aws = { version = ">= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_efs_file_system" "efs-test" { creation_token = "efs-test" performance_mode = "generalPurpose" throughput_mode = "bursting" encrypted = "true" tags = { Name = "efs-test" } } resource "aws_efs_mount_target" "efs-mt-example" { file_system_id = aws_efs_file_system.efs-test.id subnet_id = "subnet-xxxxxxxxxxxxxxxxx" security_groups = ["sg-xxxxxxxxxxxxxxxxxx"] } |
terraform { required_providers { aws = { version = ">= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_efs_file_system" "efs-test" { creation_token = "efs-test" performance_mode = "generalPurpose" throughput_mode = "bursting" encrypted = "true" tags = { Name = "efs-test" } } resource "aws_efs_mount_target" "efs-mt-example" { file_system_id = aws_efs_file_system.efs-test.id subnet_id = "subnet-xxxxxxxxxxxxxxxxx" security_groups = ["sg-xxxxxxxxxxxxxxxxxx"] }
To launch, run terraform.
terraform init terraform apply |
terraform init terraform apply